
The worst trojan on the net


  • This topic is locked
141 replies to this topic

#51 relinquished423

    Member

  • Full Member
  • 13 posts

Posted 31 July 2004 - 04:43 AM

All I can say is good luck. I hope this motherfu**er gets destroyed.

#52 yowiejim

    Member

  • Full Member
  • 7 posts

Posted 31 July 2004 - 07:13 AM

To all who are infected: what's the worst thing this trojan can do to you? Have you ever tried just living with it? I suspect that most people can. Some people lose sight of what's important. Personally I would keep my $850 worth of gear and keep using it (unless it prevented me from doing so). Just wait for the big boys to sort it, then do something.

#53 TrojanMakersMustDie

    Member

  • New Member
  • 2 posts

Posted 01 August 2004 - 10:39 PM

Thank you, thank you, thank you. Swami and Awatson, I feel your pain. This past week has been a painful and humbling experience, and rather than get into a long-winded "me too" story, I'll sum up by saying all that you've said is spot on, and I'm still surprised there isn't more talk on the net about this vile threat.

I thought my brother was losing it, as I walked him through numerous ways to deal with trojan/viruses to remove them, and no dice. Not believing he was doing it right, I had him bring his infected drive over, to put on my "test" machine; one that I routinely thrash with programming projects, and can wipe and restore rather easily, to see what I could do to cure his ills.

While I was trying all the previously listed remedy attempts with zero success, he asked if it was okay to get on my other machine to read his e-mail. I made sure he had a limited account (Completely restricted account under Win2kPro), AV was on and at the highest levels, all the latest updates for virus and system security, behind firewall/router up, and told him okay. I didn't know how he got this virus (either from cracked software, e-mail or script/security backdoor), but saw zero danger in reading e-mail. Toyed with rebooting into the MEPIS partition and giving him even more restricted access, but know now this probably wouldn't have helped.

After a few minutes, he said "oh f!%!#%" and yelled for me to come over and showed me a link he was told to go to, that was "spoofed". He was going through his Yahoo e-mail through IE, downloaded a voicemail attachment (could have killed him when he said that) from a trusted vendor that he was expecting (J2 messenger) and was then told to go download a reader for it at some address. Too late; after downloading the infected file, he got paranoid and noticed the website link was a spoof to some other site.

Going off what I knew then about infections, I immediately killed all activity, booted into "safe" mode, and started running a full virus scan with Norton's. As the scan ran, my brother, who had seemed overly paranoid just a few minutes ago, noted that "it's doing the same thing that my machine did" as the scanner started not going through all files and subdirectories systematically, but jumping from key directory to key directory of either useful information (mail, documents, etc.) or common tools or useful utility directories (scanners, system tools, system directories, etc.) and either mining or infecting as it went.

Now, as scared and as paranoid as I used to think my brother was, I quickly killed this, and attempted to boot "safely" from CD to get a clean scan. Then to my horror, I witnessed the same traits as my brother's infected machine showed.

With the variant I've been dealing with, the verifiable test for infections is on boot: any time any useful tool or program that even touches or accesses the partition table, upon starting or accessing the infected drive, it triggers an isolinux 2.07 loader (from a hidden boot sector other than the MBR, or the BIOS?), puts a ramdisk on your machine (/BOOT/modules/memdisk), mounts FreeDOS (if a DOS utility is requested) or a small Linux kernel (if a Linux bootdisk), tells the system that the ramdisk is a low-level CD-ROM drive, puts all the usual DOS utilities used to help deal with these situations there (Fdisk, format, command.com, etc.), then sets a path with the new ramdisk location (for DOS) or aliases (for Linux) at the top of the order.

Also of note: when I checked it on his first infected machine, a Mac OS X notebook, I noted that in addition to spoofing some useful websites (popular virus scanning/trojan sites, forums), I dug a little further. I found that while an infected machine is online, it broadcasts your IP to a couple of sites, possibly more, and then shares out your drive for access. Once I noted this, I didn't even bother yanking the cable or shutting the machine down, just yanked the plug.

Hope this new information sparks some thought, or possibly sheds some more light on the delivery method. Already in contact with Norton and some local computer security companies that want the infected drives for study.

In the meantime its become a personal challenge to discover the delivery and hardiness of this thing. I refuse to admit defeat after all this time, effort and loss to my brother and myself. It still confounds and amazes me how with a pre '96 motherboard, serial mouse, non-macro keyboard, old S3 virge (non flashable) vid card, low-level wiped hard drive, no power and CMOS battery left out overnight, and then booted with no drive connected via clean bootCD, this thing lives on.

Only test left I can think of is wipe the BIOS, do all the above, and boot from a clean CD and see if the damn thing still remains?
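The boot-chain claims in the post above (a loader triggered from the partition table, "garbage" where a partition table should be when the disk is read from a clean bootdisk) are the kind of thing you check by reading sector 0 directly rather than trusting whatever the booted system's tools show. What follows is an added example written for this page, not code from anyone in the thread or from any tool it names: it parses a 512-byte MBR with Python's standard library, reports the 0x55AA boot signature, the four partition entries and a SHA-256 of the bootstrap code, and flags the implausibilities a "garbage" table usually shows (no signature, zeroed boot code, several active entries, a partition starting at LBA 0, overlapping entries). The two sample sectors are constructed inline so the script runs offline; the device path in the docstring is a placeholder.

```python
"""Parse a 512-byte MBR and report what a boot-sector inspection looks at.

Added example, not from the forum thread. Both sample sectors below are
constructed in memory; for a real check read sector 0 from a dd image or a
device, e.g. parse_mbr(open("/dev/sdX", "rb").read(512)) (placeholder path).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_SIG = 0xAA55        # bytes 55 AA at offset 510, read little-endian
PART_TABLE_OFF = 446     # bootstrap code occupies 0..445, then 4 x 16-byte entries


@dataclass
class Partition:
    index: int
    bootable: bool       # status byte 0x80
    type_id: int         # e.g. 0x07 NTFS, 0x83 Linux
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    signature_ok: bool
    bootcode_sha256: str
    bootcode_is_zero: bool
    partitions: List[Partition]


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    sig = struct.unpack_from("<H", sector, 510)[0]
    bootcode = sector[:PART_TABLE_OFF]
    parts = []
    for i in range(4):
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return Mbr(signature_ok=(sig == BOOT_SIG),
               bootcode_sha256=hashlib.sha256(bootcode).hexdigest(),
               bootcode_is_zero=not any(bootcode),
               partitions=parts)


def sanity_findings(m: Mbr) -> List[str]:
    """Human-readable red flags; an empty list means nothing obviously wrong."""
    findings = []
    if not m.signature_ok:
        findings.append("missing 0x55AA boot signature: a BIOS will not boot this sector")
    if m.bootcode_is_zero and m.partitions:
        findings.append("partition table present but bootstrap code is all zeros")
    active = [p for p in m.partitions if p.bootable]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active; standard MBR code expects at most one")
    for p in m.partitions:
        if p.lba_start < 1 or p.sectors == 0:
            findings.append(f"partition {p.index}: implausible start/length ({p.lba_start}, {p.sectors})")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in m.partitions)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_sample_sector() -> bytes:
    """Constructed healthy sample: bootstrap stub, one active NTFS partition at LBA 2048, valid signature."""
    boot = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PART_TABLE_OFF - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return boot + entry + b"\x00" * 48 + struct.pack("<H", BOOT_SIG)


def build_garbage_sector() -> bytes:
    """Constructed 'garbage' sample: zero boot code, two active overlapping entries, one starting at LBA 0."""
    boot = b"\x00" * PART_TABLE_OFF
    e1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 0, 1000)
    e2 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 500, 1000)
    return boot + e1 + e2 + b"\x00" * 32 + struct.pack("<H", BOOT_SIG)


if __name__ == "__main__":
    for name, sec in (("healthy", build_sample_sector()), ("garbage", build_garbage_sector())):
        m = parse_mbr(sec)
        print(name, "boot code sha256:", m.bootcode_sha256[:16], "findings:", sanity_findings(m) or "none")
```

Comparing the bootstrap-code hash against the same sector taken after a known-clean reinstall is the cheapest way to tell a rewritten boot sector from an untouched one; the findings list is only a triage aid and says nothing about what the code does.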

#54 pillo79

    Member

  • Full Member
  • 11 posts

Posted 02 August 2004 - 03:51 AM

I think the word "Ramdisk" is misleading. Let's call the space used to store the trojan (all its files needed for Linux and Windows) "flash storage".


Remember that there is both a ramdisk and a (thus far theoretical) bios infection, and we don't know the nature of their relationship yet.

<tangent>
I guess the ramdisk could be used to retrieve, store, and process information that couldn't fit in the bios. So the contents wouldn't necessarily have to be the same, until the next time the machine was powered on.
</tangent>

Slow down. If a Ramdisk is created while the PC is booting (or after, for that matter), well, I can assure you that nothing in any DRAM survives without power for a full second. That's for sure. So, if there is a ramdisk, its contents must be recreated each time the machine is powered up, so the (maybe compressed) backup is somewhere in nonvolatile storage. Since it appears to outlive even HD swaps, it must be in the BIOS, or other Flash media.

Anyway, does it necessarily have to be run by the OS?
We have a ramdisk happily running along, even before the OS is loaded. Couldn't a module be activated from there, once a vulnerable OS was recognized?

Maybe. I'm not sure how Windows would treat a "ramdisk" present at boot, but to activate a module there must be something that triggers the execution from the OS side. (Which, BTW, could easily have been the program downloaded by TrojanMakersMustDie, but obviously this wouldn't survive a format...)

The news from TrojanMakersMustDie is detailed and terrifying.
Let me check if I understood you correctly.

With the variant I've been dealing with, the verifiable test for infections is on boot: any time any useful tool or program that even touches or accesses the partition table, upon starting or accessing the infected drive, it triggers an isolinux 2.07 loader ...

You mean that, for example, you try to boot with a DOS bootdisk, and when you type "fdisk", isolinux gets loaded?? That's a bit weird...
Did you mean that the isolinux gets loaded each time the system is started, and all accesses to fdisk get redirected to a fake one?

Also,

the scanner started not going through all files and subdirectories systematically, but jumping from key directory to key directory of either useful information (mail, documents, etc.) or common tools or useful utility directories (scanners, system tools, system directories, etc.) ...

Wait a second; are you sure this isn't perfectly standard behaviour? I have not much experience with AV tools, but some I used did this "non-standard" ordering, the reason being that system dirs and user documents are the most likely to contain viruses.

Anyway, this is certainly bad news...

#55 TrojanMakersMustDie

    Member

  • New Member
  • 2 posts

Posted 03 August 2004 - 12:21 PM

You mean that, for example, you try to boot with a DOS bootdisk, and when you type "fdisk", isolinux gets loaded?? That's a bit weird...
Did you mean that the isolinux gets loaded each time the system is started, and all accesses to fdisk get redirected to a fake one?


If you boot from the infected drive, accessing the partition table or MBR kicks off the isolinux loader.

If you boot from a clean bootdisk, and access the infected drive with common tools, you get garbage. Sorry, was a bit tired when I wrote that, so got a bit garbled together.

Wait a second; are you sure this isn't perfectly standard behaviour? I have not much experience with AV tools, but some I used did this "non-standard" ordering, the reason being that system dirs and user documents are the most likely to contain viruses.


I'm not 100% positive, but I believe Norton's version of AV does systematically scan directories and files with its full scan scanner (in Windows). If I had a clean machine with it installed right now, I'd verify... ;)

Here's the latest on trying to cure this ill.

On my infected machine I didn't mind wiping, I:

- Removed all peripherals, power, cables, popped the CMOS battery and left it overnight.
- Inserted a new vid card, and what *should* be clean RAM in the machine.
- Booted from a clean DOS boot disk.
- Inserted the BIOS flash and newer flash file disc made on a clean machine.
- Flashed the BIOS, cleared all settings, rebooted.
- Rebooted from the clean DOS boot disk.
- Wiped the infected machine completely with a low-level disc util (Active@ Kill Disk - Hard Drive Eraser).
- Rebooted, repartitioned from the clean DOS boot disk.
- Rebooted, tried to install an OS from a clean BootCD.
- BootCD fails to boot (??? used to work before).
- Booted from the clean DOS boot disk with CD support.
- Installing an OS (once with Win98 FE, once with Debian, once with MEPIS) fails after loading or when accessing the hard drive to put temp files on.

What I'm trying to determine is if the new BIOS (it was one of the few ones I could find, that is an update from the BIOS I used to have) has caused these latest failings, or if the machine is still infected. I'm also trying to find the original BIOS that I can download, but Tekram no longer has support for the P5MVP-B4 board I have, and unsuccessful finding version 1.15 on the net for it.

Once I do find it, I'll reflash, and see if that solves the booting/install issue. Also trying to document things that could be potential indicators for this virus being present on other machines. More when I know it.

#56 pillo79

    Member

  • Full Member
  • 11 posts

Posted 04 August 2004 - 03:36 AM

If you boot from the infected drive, accessing the partition table or MBR kicks off the isolinux loader.
If you boot from a clean bootdisk, and access the infected drive with common tools, you get garbage.

Oh I see. If I remember correctly there were viruses that acted this way in the "old days" of DOS, replacing boot sectors and partition tables with pure garbage that only the virus itself is able to load.

- Installing an OS (once with Win98 FE, once with Debian, once with MEPIS) fails after loading or when accessing the hard drive to put temp files on.

The tool you used to wipe the disk worked, though. So why do only OS installations fail? If the virus has some anti-install code, I believe it should have reacted even when the wiping tool tried to access the disk.
Could you please tell me the exact error that shows up, e.g. from the Debian boot disk? Does it report a good partition table and stops while copying? Or does it hang on boot at "Partition check: hda", for example?


What I'm trying to determine is if the new BIOS (it was one of the few ones I could find, that is an update from the BIOS I used to have) has caused these latest failings, or if the machine is still infected.

Damn, you're right. Soooo many things to check, I'm losing track of them.

#57 kman

    Member

  • New Member
  • 2 posts

Posted 06 August 2004 - 01:01 PM

Thank god I found this forum. I thought I was losing my mind as I've been fighting this thing through 3 computers, two of which were brand new out-of-the-box laptops.

This trojan/virus or whatever you want to call it is the scariest thing I've ever seen. Somehow, some way it 'learns' and develops countermeasures to everything you try. The potential damage this could cause is beyond belief.

After reading through the other posts -and from my personal experience with the beast - here are my thoughts..

There has been one link: nvidia. (all three of my computers had nvidia drivers, plus it would explain how this thing is spreading cross platform.) Theory: a line of code that set to 'listen' for outside code/instructions.

ROM/Bootdisc or something similar. Once it has come alive it has to start up before the OS and then gain access to the entire system. Theory: Simple wake-up code stored in firmware/flash, ROM or something similar that starts before the OS.

Gaining control. Once it 'wakes up' after starting the computer it somehow gains permission and access to EVERYTHING. Theory: UPnP devices. In fighting this, I've done everything possible: clean install, system restores, wiped the memory, etc. Through this process, the one area of the system that is always acting slightly off is PNP/UPnP. (Devices are not connected with the proper drivers, weird drivers are in the system, the system won't allow you to change drivers, etc.) The 2 most frequently odd-acting PNP/UPnP drivers are the 1394 and the nvidia. My guess is that it uses the 1394 as a 'transmit' driver to communicate with the outside world because the 1394 can be bridged to the other networking drivers. It then uses the UPnP drivers as its base of operations within the system.

What a relief (clouded with a little fear, frankly) that there are others going through the exact same thing. This has consumed me... I've spent countless hours fighting it... my company's IT people have looked at it, they've seen what it does and said they can't believe what they are seeing, that it's impossible for it to be happening... even though they are watching it happen!!!

#58 lil_dragon

    Smoking Spyware since 2004!!!

  • Helper Trainee
  • 40 posts

Posted 06 August 2004 - 03:41 PM

I have seen this virus on *a lot* of computers. I run a computer repair shop and have seen it on almost all computers sent in. This thing is really scary.


To all the people that have been infected with this thing: how did you know or notice that you were infected? What were some of the characteristics that you noticed? Does this thing create files that can easily be associated with it? If so, what are their names? For my own sanity, I just want to know how to check my comp to see if I have contracted this evil thing or not.

Also...

There has been one link: nvidia.  (all three of my computers had nvidia drivers, plus it would explain how this thing is spreading cross platform.)


Have you tried swapping your nVidia card for an ATI card? For all who have posted that they have this thing, some of the troubleshooting they have done is to swap out the mb/processor chip, complete low-level formats, change OS, etc... However, I don't recall that a swap of the graphics card has been done, even though it was brought up by some of the posters as a possible theory of how this thing survives all troubleshooting efforts.

And another thing...

My guess is that it uses the 1394 as a 'transmit' driver to the communicate to the outside world becasue the 1394 can be bridged to the other networking drivers.


Does this thing apply to those who have high speed internet only? Or can it affect those on dial up as well? What happens if you disable the 1394 Connection? Just some thought and things that I'm curious about. This thing is quite disturbing.

#59 kman

    Member

  • New Member
  • 2 posts

Posted 06 August 2004 - 04:56 PM

In my case, I noticed a slight delay in things... the startup screen stayed on too long, websites were just a little too slow to load, just small little things that most probably wouldn't notice... I tried using msconfig to do a selective start-up and that was when things really got interesting. After turning off the drivers and services I went to restart my computer. A screen popped up that said "End Program --- Sample" which would block the machine from restarting with the changes. Did a search for a program named 'Sample': nothing. This same pop-up dialog would occur any time I attempted to make changes to the way the computer would load or start up. This went on for about 2 weeks. Then I got SiSoftware Sandra; it found the program 'Sample' but when I clicked on it the entire machine just froze.

I tried to uninstall and disable the 1394 connection. The system won't allow me to.

When I got the second laptop (after returning the first for the same problems) I set up all the users and passwords, turned on the firewall and only used dial-up to try and get the XP updates and update my antivirus. I was able to download everything, but none of the patches or updates were installed.

#60 lil_dragon

    Smoking Spyware since 2004!!!

  • Helper Trainee
  • 40 posts

Posted 06 August 2004 - 11:05 PM

I thought I was losing my mind as I've been fighting this thing through 3 computers, two of which were brand new out-of-the-box laptops.

When I got the second laptop (after returning the first for the same problems) I set up all the users and passwords, turned on the firewall and only used dial-up to try and get the XP updates and update my antivirus. I was able to download everything, but none of the patches or updates were installed.


kman,

I was just wondering how you contracted this thing if you had new computers. Another poster, Swami I believe, mentioned that he got it from a file that he downloaded from a particular p2p software that he used. If you had a brand new computer, how did you get infected? Did it come to you that way, already installed on your new computer? Did you connect to a home/work network which contained an infected computer? Were the new computers you received provided to you by your company, in which case I can't believe any business would allow their employees to have p2p software on their computers, or are they units that you personally bought? I'm just trying to make some sense of how this thing travels, since you didn't state how you got infected. And it seems to be contracted in a different manner than other posters such as Swami. Could this be the same trojan/virus, or is what you have different from that of the other posters?

#61 RunOrDie99

    Member

  • New Member
  • 1 post

Posted 16 August 2004 - 12:45 AM

I've been lurking on these boards for a long time and I gotta say this is the first thread that compelled me to register so I could post a reply.

Most of the replies here seem to be from the same person just registering under a new nickname and adding a new reply whenever the thread goes off the front page.

Several purportedly "normal" users have discovered they have this virus, as per the "testimonials" on this board. There's even talk it has spread to many many computers. So how come the computer science experts out there, the people who design virus scanners or what have you, have never seen it? Why isn't it on every online news website? What, we get only supermen on these boards?

Use your brain. Taking this thing seriously just adds to the laughs of the people who aren't. Expect a few flames below, and some more testimonials to try and confuse the folks who see this as the piece of sci-fi it is.

#62 expert01

    Member

  • New Member
  • 4 posts

Posted 17 August 2004 - 08:26 AM

If this is indeed for real, then I would like links to the files that each of you downloaded, and any websites you visited that might be related. Also, if you send me your computers I could have a crack at it, since you have already written them off and I have a TON of computers that are okay to screw up, and plenty of parts to swap out. I could isolate the component that's causing this, and probably fix the problem and get your PC up and running again.

BTW, I have no experience writing viruses or spyware. I just think that since files from 2 different locations were downloaded, then if the files are downloaded and examined (since I am sure they were downloaded and opened, which caused the problem, but they could be downloaded using a download manager and examined using a hex editor) they could be examined to find the code. Then, the files could be installed on a new machine, and if the machine was infected, the infection could be tracked. Or it could even be done using a virtual PC. Then, once the method it used had been found and the infected files (or virtual hard disk drive image) obtained, it could be sent to an antivirus company, which would then be able to scan for it, and alert any necessary manufacturers of flaws in their products.

BTW, anyone else notice this line?: RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize

Is it normal for Linux to load 16 8 MB RAM disks?
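Comparing a disk image before and after a suspect file is run in a virtual machine, as proposed above, comes down to hashing both images in fixed-size blocks and listing the blocks that changed; the same comparison answers pillo79's earlier point that anything surviving a disk wipe must live in nonvolatile storage, by diffing a dump of the BIOS flash against the vendor's image. The following is an added example written for this page, not code from this thread or from Virtual PC or any other tool it mentions. It works on in-memory byte strings constructed here (a 64-block image whose first block and blocks 40-41 are overwritten); in practice you would point diff_files() at the two image files. The 4 KiB block size is a choice, not anything the page specifies.

```python
"""Block-level differential comparison of two images (disk images or firmware dumps).

Added example, not from the forum thread. Hash both images in fixed-size blocks
and report which blocks differ, so a before/after pair of VM disk images (or a
flash dump versus the vendor BIOS image) can be triaged without reading
megabytes by eye. Sample images below are constructed in memory; for real use
call diff_files("before.img", "after.img") (placeholder file names).
"""
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Tuple

BLOCK = 4096  # hash granularity: smaller blocks localise changes at more hashing cost


def block_hashes(stream: BinaryIO, block: int = BLOCK) -> Iterator[Tuple[int, str]]:
    """Yield (block_index, sha256 hex) for each block; a short final block is hashed as-is."""
    idx = 0
    while True:
        chunk = stream.read(block)
        if not chunk:
            return
        yield idx, hashlib.sha256(chunk).hexdigest()
        idx += 1


@dataclass
class DiffReport:
    changed_blocks: List[int]   # indices present in both images whose content differs
    size_delta: int             # blocks(after) - blocks(before); 0 when lengths match
    total_blocks: int           # block count of the longer image

    @property
    def changed_ranges(self) -> List[Tuple[int, int]]:
        """Collapse changed block indices into inclusive (start, end) runs."""
        ranges: List[Tuple[int, int]] = []
        for b in self.changed_blocks:
            if ranges and ranges[-1][1] == b - 1:
                ranges[-1] = (ranges[-1][0], b)
            else:
                ranges.append((b, b))
        return ranges


def diff_streams(before: BinaryIO, after: BinaryIO, block: int = BLOCK) -> DiffReport:
    a = dict(block_hashes(before, block))
    b = dict(block_hashes(after, block))
    common = sorted(set(a) & set(b))
    return DiffReport(changed_blocks=[i for i in common if a[i] != b[i]],
                      size_delta=len(b) - len(a),
                      total_blocks=max(len(a), len(b)))


def diff_bytes(before: bytes, after: bytes, block: int = BLOCK) -> DiffReport:
    return diff_streams(io.BytesIO(before), io.BytesIO(after), block)


def diff_files(before_path: str, after_path: str, block: int = BLOCK) -> DiffReport:
    with open(before_path, "rb") as f1, open(after_path, "rb") as f2:
        return diff_streams(f1, f2, block)


def describe(report: DiffReport, block: int = BLOCK) -> List[str]:
    """Byte-offset view of the changed ranges, the form you would take to a hex editor."""
    lines = [f"blocks {s}-{e}: bytes 0x{s * block:x}-0x{(e + 1) * block - 1:x}"
             for s, e in report.changed_ranges]
    if report.size_delta:
        lines.append(f"image length differs by {report.size_delta} block(s)")
    return lines


def build_sample_images(block: int = BLOCK) -> Tuple[bytes, bytes]:
    """Constructed sample: 64-block 'before' image; 'after' has block 0 (where an MBR
    would sit) and blocks 40-41 overwritten, everything else untouched."""
    before = bytes(i % 251 for i in range(64 * block))
    after = bytearray(before)
    after[0:block] = b"\xEB\x3C\x90" + b"\x00" * (block - 3)   # replaced boot code
    after[40 * block:42 * block] = b"\x41" * (2 * block)       # written payload region
    return before, bytes(after)


if __name__ == "__main__":
    before_img, after_img = build_sample_images()
    for line in describe(diff_bytes(before_img, after_img)):
        print(line)
```

A firmware dump compared this way against the vendor image will show a few legitimately differing blocks (NVRAM/ESCD settings, DMI strings); changes inside the code regions are what need explaining, and a per-block hash list saved from a known-good state is what makes the next comparison cheap.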

#63 awuh0

    Member

  • Full Member
  • 31 posts

Posted 17 August 2004 - 12:45 PM

Ripped the bastard apart... this is the catalog that keeps track of which files are infected and where. Someone take a look at this, I am really sick of this bug...

Oh, and uhh, check your drivers... they're infected.

#64 expert01

    Member

  • New Member
  • 4 posts

Posted 17 August 2004 - 12:55 PM

Check whose drivers?

*edit* Also, if anyone could get the original files to me, I would like to see how the virus loads itself.

Edited by expert01, 17 August 2004 - 01:04 PM.


#65 awuh0

    Member

  • Full Member
  • 31 posts

Posted 17 August 2004 - 12:57 PM

I'm no expert with devices/drivers, but some of the ones I see on my computer don't look normal, plus the fact that there are like quadruplicates of the same name...

See screenshot.

Edited by awuh0, 17 August 2004 - 12:58 PM.


#66 expert01

    Member

  • New Member
  • 4 posts

Posted 17 August 2004 - 01:12 PM

Having multiple copies of some of those is normal, I think. I know that I had that in Win98 every time, with a lot of different computers.

Still looking for the original files, if someone remembers where they got them.

#67 expert01

    Member

  • New Member
  • 4 posts

Posted 17 August 2004 - 07:46 PM

Again, if anyone has the original files that infected their computer, I would like to download them and run them through Virtual PC, so I can compare the Hard Drive images before and after.

#68 Hack-Me-Gently

    Member

  • New Member
  • 1 post

Posted 18 August 2004 - 07:19 AM

I can't believe that I have FINALLY found some information on this virus/trojan or whatever it is! I have been battling the same symptoms for a year or so now. Nobody, and I mean NOBODY, has been able to help me. I always sensed that nobody even believed me because it was so odd. I posted my problem on another site about 2 months ago and not one person replied to it, and I assume that is because this problem is basically unknown to most people. That post is here:

Remote attacks even with new computer

I have not finished reading this entire topic yet but I will be coming back to it soon.

I am still infected and I see that some of the members here have requested copies and I am very willing to submit same.

Angela from Vancouver, BC

#69 Wings

    Member

  • New Member
  • 3 posts

Posted 19 August 2004 - 10:41 AM

You know what I hate about forums like these (and the reason why I don't join them anymore), is that people are stupid. They spend time on their computer playing games 90% of the time and then they come to boards like these pretending that they're an expert. Those wanna-be-experts are the ones that believe this nonsense and they themselves spread it like a virus, making more and more people believe this nonsense story.

I remember a while back a guy named Kobra who made a list of virus scanners and how they performed. He only used a test bed of only 300 viruses. Which viruses he used (only macro viruses or trojans?), we'll never know. How did he test, did he always test on a clean system? We'll never know. Did he use max. settings? We'll never know, because he never replied to these questions.

In the end he made up a list of some 30 virus scanners and how high the detection rate was.
Because MKS_Vir was #1, suddenly you see people everywhere on boards posting download links to MKS_Vir.

So Kobra's list also acted like some kind of virus, the same with this bull story.
I must say, the one who made it up has a good sense of humor, and I must admit that the story really spreads like a virus, since I'm reading it on more and more boards. Well done, you've managed to write a story with, in some way, a virus attached. Quite interesting when you think about it. What does harm the quality of this hoax is the number of users with 10 posts or less who are involved in this discussion; you should have done better than that! :D

But all in all well executed and I must say and with all these amateurs lurking around with no virus scanner in their skull (called brains), it's spreading faster than lightning! :D

Edited by Wings, 19 August 2004 - 12:34 PM.


#70 Wings

    Member

  • New Member
  • 3 posts

Posted 19 August 2004 - 05:36 PM

Script Defender
Ad Aware
About:Buster
Bho Demon
CWS Shredder
CWS Smart Killer Removal
Look2Me Removal (WinXP)
Look2Me Removal (WIN 98/ME)
Hijack This
PV.zip
Rapid Blaster Killer
Spybot Search And Destroy
Spyware Blaster
Peper Trojan Removal
Winsocks fix

Dude, that you don't have Webroot Spysweeper and Alura Spy Sweeper is totally beyond me...

You do know that these two are the top anti-spyware programs that you can buy, don't you? :D

#71 Untouchable J

    Advanced Member

  • Full Member
  • 205 posts

Posted 20 August 2004 - 06:17 AM

Script Defender
Ad Aware
About:Buster
Bho Demon
CWS Shredder
CWS Smart Killer Removal
Look2Me Removal (WinXP)
Look2Me Removal (WIN 98/ME)
Hijack This
PV.zip
Rapid Blaster Killer
Spybot Search And Destroy
Spyware Blaster
Peper Trojan Removal
Winsocks fix

Dude, that you don't have Webroot Spysweeper and Alura Spy Sweeper is totally beyond me...

You do know that these two are the top anti-spyware programs that you can buy, don't you? :D

You mean Aluria's Spyware Eliminator, and no, it isn't a good spyware removal program. They have a reputation for detecting a lot of FPs. I wouldn't recommend it to anybody. Also, AOL's Spyware Protection is based on Aluria's program (that should tell you a lot).

Seems like nobody who actually has this trojan is posting anymore.

I have one simple question though... What are some symptoms you can expect if you're infected? Just curious so I could check myself if I may have this trojan (if it's real or not).

Thanks

-J

#72 silverwolf

    Member

  • Full Member
  • 26 posts

Posted 22 August 2004 - 03:31 PM

Hi guys, first of all, I'm no computer guy at all, I don't even have a router or firewall stuff (except the software firewall), just here to make a stupid comment :p

Well, first of all, claps to this storyteller and those other guys who are infected by the UNKNOWN SUPER VIRUS.
Second, if it's Chinese or Taiwanese stuff (which is not your own language stuff), why not go ask (I mean check out the net, don't tell me no Chinese people can at least READ English) some Chinese people about this thing???? As some of you said you had the same situation back in mid 2003, OH, so it's no longer news? Or are you trying to say it's spreading with NO PEOPLE working on it??? Let's say it does exist, then at least the writer of this virus can read English, agree? Are you telling me Chinese people use CHINESE to hack people or write programs?
Third, you went to a site with a username but not a normal address? Huh? Is that my reading problem or what?

Sigh, I have to admit that reading the first 2 or 3 pages was fun, reminding me not to go to sites that look strange to me,
but since the guys who got that virus are no longer posting, all I can say is:
send it to an antivirus company if you really are infected by THAT, they're more than happy to take it; if you're just making up stories, thank you, thanks for telling us not to touch any strange sites/files.
Thank you very much.

#73 Misereor

    Member

  • Full Member
  • 84 posts

Posted 23 August 2004 - 03:36 AM

Ahh, back from 3 weeks of vacation.
And wow. This thread sure degenerated into pointless bickering...

Well, it was fun as long as it lasted, but if Swami doesn't sound off, I'm gonna have to assume that it was a trolling attempt...

Interesting discussion though.

#74 Wings

    Member

  • New Member
  • 3 posts

Posted 23 August 2004 - 09:21 PM

They have a reputation for detecting a lot of FPs. I wouldn't recommend it to anybody. Also, AOL's Spyware Protection is based on Aluria's program (that should tell you a lot).

I read several professional tests that prove the opposite, so you tell me who I should believe, the pros or the amateur on some board? ;D

#75 Untouchable J

    Advanced Member

  • Full Member
  • 205 posts

Posted 24 August 2004 - 07:52 AM

They have a reputation for detecting a lot of FPs. I wouldn't recommend it to anybody. Also, AOL's Spyware Protection is based on Aluria's program (that should tell you a lot).

I read several professional tests that prove the opposite, so you tell me who I should believe, the pros or the amateur on some board? ;D

Show me then and I'll show you facts to back up my statement. I haven't heard one expert from the security boards who would suggest Aluria's spyware program.

#76 silverwolf

    Member

  • Full Member
  • 26 posts

Posted 24 August 2004 - 08:07 AM

They have a reputation for detecting a lot of FPs. I wouldn't recommend it to anybody. Also, AOL's Spyware Protection is based on Aluria's program (that should tell you a lot).

I read several professional tests that prove the opposite, so you tell me who I should believe, the pros or the amateur on some board? ;D

Show me then and I'll show you facts to back up my statement. I haven't heard one expert from the security boards who would suggest Aluria's spyware program.

Jrshaw62:

He said he READ several tests, not that he DID the tests, so either he's one of the people from Aluria or he's just a newbie trying to make himself look like an expert by making comments like that; in fact, he's just a clown to us ;D

Edited by silverwolf, 24 August 2004 - 08:08 AM.


#77 killer4prez

    Member

  • Full Member
  • 16 posts

Posted 27 August 2004 - 11:45 PM

Does any one know the name of the virus?

Would you mind sending me a CD with the files found on your system?


You can get the virus from piaodown.net and piaodown.com and a crsky.net

Edited by killer4prez, 28 August 2004 - 12:20 AM.


#78 silverwolf

    Member

  • Full Member
  • 26 posts

Posted 28 August 2004 - 08:41 AM

You registered another new account to keep the story going?
Sigh, go get a life.

#79 Untouchable J

Untouchable J

    Advanced Member

  • Full Member
  • PipPipPip
  • 205 posts

Posted 28 August 2004 - 04:11 PM

They have a reputation of detecting a lot of FPs. I wouldn't recommend it to anybody. Also AOL's Spyware Protection is based on Aluria's program (that should tell you a lot).

I read several professional tests that prove the opposite, so you tell me who I should believe, the pros or the amateur on some board? ;D

Show me then and I'll show you facts to back up my statement. I haven't heard one expert from security boards who would suggest Aluria's Spyware Program.

Jrshaw62:

He said he READ several tests, not that he DID the tests, so either he's one of the people from Aluria or he's just a newbie trying to make himself look like an expert by making comments like that. In fact, he's just a clown to us ;D

I was assuming he read the tests on the web :whistle:

Oh well...I still stand by my statement :cool:

#80 killer4prez

killer4prez

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 28 August 2004 - 06:30 PM

You registered another new account to keep the story going?
Sigh, go get a life.

Nope, sorry, this is my first time posting on this board.

#81 silverwolf

silverwolf

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 29 August 2004 - 08:17 AM

Oh, sorry, but this topic has been done for a long time.

#82 pillo79

pillo79

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 30 August 2004 - 08:53 AM

I left for some vacation too, and now I see the discussion gone astray. :mellow:
The last useful post from awuh0 is part of the Windows File Protection... have to check the CRC but it's a feature of Win2000/XP, not a trojan.
Well, so much for the extra-super-hyper-turbo-virus we were talking about :cool:

#83 awatson

awatson

    Member

  • New Member
  • Pip
  • 4 posts

Posted 04 September 2004 - 08:31 AM

Hello all,

Apologies for not posting any sooner than now. I find it a real shame, but quite predictable, that this topic has been dismissed as a fake and that all of the original posters claiming infection are taken for a single person with multiple accounts. Predictable, because after dealing with this thing for a year and a half, I am quite used to others not believing in its existence, not accepting my findings as valid or honest, and doubting my ability to control an over-eager sense of paranoia. So, no love lost. In fact, what I feel is more a sense of disappointment, since I thought I had finally found a discussion thread that could possibly lead to a solution.

As for the individuals that will inevitably accuse me of simply being another phantom account instead of a real person, I'd be happy to verify my singular and factual existence via my paypal account - I can't think of a way (beyond professional fraud) of creating more than one verified paypal account, can anyone else? In any event, I have neither the time nor the patience to go around posting misleading messages on discussion boards under multiple fake personalities. Anyone that does should probably re-evaluate some of their priorities, motivations and goals in life... but hey: to each their own, I suppose.

Now, to answer a few questions from some messages back....

1) I have no idea what file or files initially infected the first of my machines. I initially discovered this virus during a session of backing up my main workstation prior to a new harddisk installation. Huge amounts of network activity were occurring and I was not using the network for anything at all... and, well, if you skip back some pages in this thread, you'll find my original post that describes the ensuing situation in detail.

2) I am happy to provide any soft- or hardcopy results of any series of actions or processes you like here. Granted, I'll be sure to censor out some sensitive data (a couple of octets of my machine addresses, digits from my social security number, etc etc) but I will not alter or fabricate any sort of resulting data.

3) I have a few old Western Digital 3 Gig drives on a back shelf... I'd be happy to low-level format and install a legal, boxed copy of Windows XP Professional to the drives. I'll even pay the shipping to send a drive to anyone willing to help perform forensics and research, in the hopes that it can be eradicated. Granted, you will need to find some way to convince me that it would be worthwhile to do so, as opposed to wasting my time and money on someone that will just turn around and hybridize, copycat, spread or simply just accidentally infect their own machine with the virus.

Now a question of my own: Of the more reputable virus-protection software vendors in existence, does anyone have experienced information on the proper way to submit such evidence to them for analysis? I would be happy to do such a thing. I can also provide a complete PC system, if necessary, but I will of course want the system back after it's all said and done!

In closing, I cannot vouch for the identity of anyone else on this message board... but I sincerely hope that the accusations that have been made are simply not true. To finally find more people that can relate to and share firsthand information about what I have been dealing with alone for so long... only to find that it was all just the product of a multiple poster with a bent sense of humour would be quite disheartening for me.

Regardless, I can assure you that both my identity and this virus are indeed based quite firmly in reality - one without any type of embellishment whatsoever.


Thanks for reading,

Adam

Edited by awatson, 04 September 2004 - 08:49 AM.


#84 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 05 September 2004 - 04:48 PM

Hello again.

No disrespect intended, but I treat this subject much like the question of intelligent life in space. It's possible, but until I see proof, I'm not spending any money on it.
Much like some of the other posters, I've participated because it was interesting, and possibly relevant for the future.

Currently I have 20 some machines at work intended for the scrap heap in the next couple of months, and I could use them for experimenting.

I also have access to some *serious* security resources through my workplace, should I be satisfied that the supervirus is real.

You can send me a private message if you are serious about this (using a real e-mail addy of course), and I will mail back and provide you with the relevant info and shipping information.

Your move :)

#85 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 06 September 2004 - 05:15 AM

If you send it to _anyone_, send it to Symantec, Network Associates, and Trend Micro, then lock a drive in a safe at your lawyer's office and seal it. That way, you can have legal evidence or a clean copy just in case they try to edit it to make you responsible.

#86 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 06 September 2004 - 08:14 AM

Or you could do as Tuxedo Jack suggests.

Either way, if you want to convince us once and for all, you're going to have to put your money where your mouth is.

No disrespect intended, just the way the world works. :)

#87 pcontour

pcontour

    Member

  • New Member
  • Pip
  • 2 posts

Posted 07 September 2004 - 01:41 AM

This is one of the most interesting threads ever.

The guy who started the thread has stopped writing in it altogether. I don't know enough to know whether I should believe :thumbsup: the whole thing or :thumbsdown: not. The most suspicious feature of the post is that the guy is not going to give the virus or any of the parts to any reputable business where it would be possible to prove that he was making it up. That's like claiming to find the shroud of Jesus and not letting anyone run Carbon dating. Anyways like I said the SWAMI is long gone so :wave: close up shop. Stop pounding away :bangbang: on each other.

I must say though, the SWAMI seems very clever :thumbsup: , and his insults to the Nimrod/Idiot were quite :thumbsup: excellent in intensity and effectiveness. I was laughing my head off :fotc: . Indeed the Swami knows too much for me to determine whether he made it up or not. And what person "who doesn't know much" would want the virus :thumbsdown: to examine? Another Pal in the conspiracy to dupe the dopes, stump the chumps, or mess with your melons.

I'll have to read my copy of how to win friends and influence people again, because the Swami infected me with the desire to flame you patoots. :rant: I'll have to break open the crate and give mouth a cleaning.

Final score 3 :thumbsup:, 2 :thumbsdown: - and the Swami told the truth. But wait, overtime - with a name like Swami - you gotta believe that is suspicious. It's a tie. We are in overtime and no-one takes my advice to :wave: close up shop.

#88 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 07 September 2004 - 04:38 PM

*ignore bad spelling, public computer, plus just losing 3 paragraphs of info is frustrating enough without online forum bums telling me I can't spell. I don't have the time for it so get a life and then a job and stop b*tchin *

The original infection is done via a new hardware driver installed by MBR or autorun of a USB flash card / floppy / CD / whatever disk drive you carry around.

From there the virus downloads components from other infected computers by some kind of common IRC room or multicast, I dunno.

After *multiple reboots and downloads* the virus scans the disk and starts naming its components unobtrusively.
Spreads by network in an unknown way, I think writeable shares / spoofed printer driver? / ???
Then it flashes the BIOS and/or something else so even a network-wide low-level format will not kill it.

Formatting does force the virus to re-catalog your HDD and re-download components.

this is all the info I can give out now as I am short on time and this thing hurts my brain.

when I get my computers hooked back to the internet I will upload possible infected files / whatever else you want

At this point I will ask for losers who have nothing better to do than bog down the thread, like silverwolf and whoever else, to STFU and only people who want to help or have questions to talk....

Now then... maybe we can make some progress and KILL THIS BASTARD....

PS Tuxedo Jack
I tried to send it to several anti-virus vendors; they ignore anything their own scanners miss / avoid doing anything with automated web / telephone stuff... If anyone has contacts with an AV vendor or is employed by a business or industry that has ties or purchased that support package, YOU'RE the one who needs to send the infected files 'cause they pay attention to people that give them tons o' cash.....

:techsupport:
EOF

Edited by awuh0, 07 September 2004 - 04:43 PM.


#89 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 20 September 2004 - 02:04 AM

Swami, awuh0 , awatson: me too. I guess we'll have to call it the Black Helicopter Trojan since it's just a manifestation of our crack-induced paranoia and not anything that really exists.

Initial symptoms (got progressively worse) were unusual LAN activity on my cable modem, lots of HD activity well beyond the usual XP stuff, somewhat slower boot but really slow shutdown with a ton of disk/LAN activity. Connections to various Asian IPs. TFTP, shared drives, Telnet, Terminal sessions, etc. that I could not stop. Directories with device names (COM1, etc.) that I didn't have permission to no matter how I accessed the disk. Eventually started running out of HD space.

Source? Pirate XP corp, KaZaa ... who knows. I've since repented and paid my MS tax for a legal copy (which wouldn't have made any difference at that point).

NIS, NAV, various firewalls useless or eventually disabled anyway. Too late for AdAware, Spybot, etc. once it has control of your file system. Sometimes they found/fixed, but 'it' always came back.

Different LAN card and HD solved - not sure if LAN card was a factor. Not a BIOS / CMOS virus in my case. BINs matched from past flashing. I only had my screamin' Herc Prophet 4500 video card (because I live in a cardboard box under a bridge) so nVidia not a factor in my case.

I think it keeps alive through at least a couple of hiding places (just speculation - didn't have the $$ tools to prove anything).

1) PXE in ROM on LAN card because I found BIOS was changed to try to boot from it. It was third in line after FDD and HD0 but I never configured it that way. I remember seeing PXE something errors during surprise or forced reboots occasionally, and found my PC running one morning 'all by itself'. Cable modem activity during boot well before XP loaded (more than just the usual DHCP init). I'm guessing my OS was 'upgraded' courtesy of someone half-way around the planet. Or could this be modified to point back into your computer somehow or maybe even load a little shell of its own? This did not seem to be the primary way it kept alive. Maybe just another layer of protection or a single phase of the overall load? Never happened again after I reconfigured BIOS setting.

2) Hard disk ROM and/or inaccessible sectors of hard disk, either on the system area before Cyl 0 that holds microcode, zone and defect tables, or else the Host Protected Area (HPA) which are sectors beyond what your BIOS / OS thinks are the drive's last one. HPA is defined in the ATA spec. Check out this rather troubling post from one of the ATA guys last year:

http://www.mail-arch...g/msg01459.html

Either of these areas are open to exploitation and could be used to redirect any boot or disk call from ANY OS. You have all the major disk makers to thank for this 'feature'. Bonus: malicious code can protect itself by setting the security mode and passwords (maybe even in Chinese?) after reserving its private little storage area! AV software can't find these sectors - heck, the file system and OS itself is unaware of them. If it's password protected and in high security mode, you're not going to get at them with any software. Only option is to force reinitialize the disk.

Part of most new HD microcode is flashed to a chip, but another part sits on the disk itself in the system area. It's quite possible to hook the firmware there and kick off some beefier code in the HPA. The microcode fires when the BIOS is just trying to identify the disk early in the boot process. Boot from CD? Who cares? The OS could just be loading in a VMM at this point. At the very least, the disk manager is probably being spoofed with some kind of overlay or redirection.

Note that FDISK and most disk utilities will only recognize the user area of a hard drive, cylinder 0 - XXX. The system and defect tables are BEFORE the user area on several earlier cylinders, sometimes negative numbers or SA prefix is used in manufacturer literature when describing them. These are only intended for internal use by the HD and I don't know of any software that can 'read' them. The HPA is also ignored by FDISK, but can be read by some forensic software and can be returned to the user area with other utilities, providing it's not password protected. If the trojan creates a HPA, it looks like your disk lost a chunk of sectors or it's 'apparent' geometry changed. I seem to remember getting messages about the free space needing to be adjusted.

At any rate, I ended up locking the disk after repeated failed attempts to get at the mystery HPA. Had to force reinitialize it, so I wiped out whatever was hiding there. Ran a 3COM utility to overwrite Boot ROM on LAN card. This all happened a few months ago. I could have imagined all of this, but I WANT TO BELIEVE.

Don't waste your time with the drive manufacturers for support. They will be the last to acknowledge their little 'problem'. AV software won't be of much help if it's running in an OS running inside a VMM or the file system is being redirected at the device level.

The truth is out there... as long as you know the correct Chinese password.

#90 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 20 September 2004 - 12:39 PM

could you give a link to what you used to wipe / reformat your lost cylinders...
Im still missing disk space on one of my computers

#91 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 20 September 2004 - 02:39 PM

awuh0 -

I'll assume you realize that I'm no drive engineer; this is what I understand or remember reading. Your drive may burst into flames and incinerate your computer if you try this.

Your drive manufacturer will usually have an exe to download that creates a bootable disk utilities floppy. Which make/model do you need it for? I can give you a link or just Google. (Please don't use some unknown utility from malware-r-us.com) You MUST run the entire 'Write Zeros to Disk' routine or Force Initialize which may take several hours.

You also need to determine (with the utility if possible) if the drive is

1) Set to use ANY sector offset. If it is, then logical sector 0 is being remapped. You'll end up with an MBR in the middle or end of your disk somewhere. I'm not sure if the manufacturer utility will reset this. By the way, this is how malicious code can boot from the HPA. All it has to do is set an offset to the HPA before your machine shuts down. On the next boot, the first sector of the HPA is actually booting. It does its nasties, then probably zeros out the offset, resets MAS and passes control back to the real boot sector. You would have no idea this is going on because it's happening before your real OS is even loaded. Your BIOS is just passing control to the first logical sector during boot, but has no idea what real sector the drive is actually considering as 'first' during boot. By the time your real boot OS loads, everything is reset and appears quite normal.

2) Get rid of the HPA by setting correct values in the drive's parameter tables - hopefully, the manufacturer utility will do this for you. Simply changing the Last or Max Accessible Sector (MAS, LAS or whatever term your vendor uses) to match the Max Native (real) Last Sector and then partitioning and formatting may not fix anything. It 'removes' the HPA, but there's still real code on those sectors. Some of its helper programs may come back later looking for it.

3) Check the printed specs for your drive against what the utility is reporting for total sectors or Native Last Sector. If the parameter tables in the firmware were hacked, you may just be resetting LSA to a bogus NLS value.

If all goes well, you will have cleaned up the inaccessible HPA sectors at the END of your disk. This does not fix any kind of firmware hack which may live in the drive's ROM or system areas.

I know of nothing that would 'clean' that other than maybe reflashing the drive's firmware. Of course, contacting the manufacturer for support about this is a waste of time. They will never admit how easily their drives can be exploited and will refuse to send the factory or OEM BINs out for any reason - don't bother asking. You can check manufacturer or OEM websites to see if they were forced to release an update for some reason, but don't get your hopes up. If they did (and it matches your drive's PCB version, controller chip details, etc. EXACTLY) then it may be worth a shot. The usual flashing cautions apply: it could fry your drive or maybe just update a part of the firmware that fixes nothing.

Your firmware might be fine - I'm just speculating on another possible method of hiding evil code. I suspect this method only because of the ongoing problems with disappearing/reappearing drives in XP and related firmware-like issues, particularly and almost exclusively with new retail or OEM replacement ones. Yes, I know about all the other reasons this may happen, but I'm not satisfied that they are ALWAYS the reason. For instance, the problem spreading to other drives of the same model on the same machine or someone complaining that they eventually had the same problem with a number of replacement drives and finally switched brands. Sounds like firmware hacking to me, but I WANT TO BELIEVE.

Good luck.

#92 paperghost

paperghost

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 21 September 2004 - 04:15 AM

What I still don't understand about this thread is why the only people who seem to have come across this thing only have about 30 posts between them.

And they've all seemingly been "dealing with it" for anything up to a year or so.

If you've been "dealing" with a virus / trojan infection for that length of time - you've lost.

Format everything. Replace all your parts.

If this phantom virus / trojan still exists after you've done this, you've lost and we're clearly all doomed.

Take your PC outback and burn it for the good of mankind.

If every single major AV and Trojan-finding company has managed to consistently miss such a mammoth threat for more than a year...

I'm a monkey's uncle.

To coin a phrase -

Show me the money.

#93 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 21 September 2004 - 10:46 AM

paperghost -

Despite Swami's slightly over-the-top title of "The worst trojan on the net", we're just talking about a RAT / Rootkit or other malicious code that seems to leave the machines vulnerable again after exhaustive virus/trojan removal and even after formatting. If it was a typical executable-bound RAT, then I imagine that "...every single major AV and Trojan-finding company..." would be aware of it by now.

On the other hand: if it's bound to firmware in one of the device PROMs, then it would be a little more difficult to detect since NO AV or Trojan-finding company scans them. If it's ATA-controller based, then the file system is probably already compromised by the time the OS or any type of scanner loads. If it's NIC-based, then your internet or LAN is already compromised before the OS or your firewall loads. Even rootkit detectors all depend on what is visible to them after all the devices have been initialized, i.e., after their (easily updateable) firmware has run.

Here's another person with a somewhat similar imaginary problem from a year and a half ago. And, no - it's not me. The link is to a Google-cached post originally to ExpertsExchange. The original post has since been deleted - you're not a mod there, are you paperghost?

http://www.google.co...otkit pxe&hl=en

This isn't a 'super virus', nor does it pose a 'mammoth threat'. It's just another variation of an old threat that I want to be able to detect, clean and prevent. The fact that it's not widespread or clearly understood means nothing to someone wasting hours trying to clean it off their machine. People came here just looking for some help. I don't remember reading in the TOS that all new posters must prove that they really have a problem to paperghost's satisfaction before any help is offered. Show you the money, indeed! Why are you so dismissive?

#94 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 21 September 2004 - 12:37 PM

I believe the "put your money where your mouth is" comment was mine, not Paperghost's.

But the comment stands.
So far all we have seen is theoretical stuff.
Until there is "proof of concept", people will have difficulty believing :)

#95 paperghost

paperghost

    Member

  • Full Member
  • Pip
  • 88 posts

Posted 21 September 2004 - 01:14 PM

we're just talking about a RAT / Rootkit or other malicious code that seems to leave the machines vulnerable again after exhaustive virus/trojan removal and even after formatting.


Well, if that doesn't sound like a potentially mammoth threat to security then I don't know what does.

plus, almost everyone on here who has claimed to have encountered this thing has built it up to be something almost demonic in its apparent "evilness".

Here's another person with a somewhat similar imaginary problem from a year and a half ago.


People can still make things up from a year and a half ago. And i seriously doubt someone with such a major problem on their network would be so flippant in their posting of it. Personally, I'd be panicking my backside off. Seems funny the post has now gone walkies, there's stuff on there archived well before that date that's still floating around.

I don't remember reading in the TOS that all new posters must prove that they really have a problem to paperghost's satisfaction before any help is offered.


I don't remember seeing that it doesn't. Plus, I'm not offering any help, merely my opinion on this thread's content. Plus, if anyone wants to "help" (in as much as that's possible given the elusive nature of this trojan) then I didn't say I was stopping them, did I? But then, I don't remember seeing in the TOS that Paperghost wasn't allowed to mention the apparent lack of proof despite 7 pages, 93 replies and 16,678 pageviews.

My original questions still stand - why do the only people that seem to be afflicted by this only have a handful of posts between them? Surely there are a stack of people who actively clean out trojans / virus threats / HJT logs on a daily basis (myself included) who may come into contact with the underground more than a suit who works for Symantec, who would surely have either come across this themselves, or been asked for help by someone who was displaying this trojan's symptoms? Apparently not.

And surely a "Symantec suit" (for want of a better phrase) would still have stumbled upon it eventually. Apparently not.

Surely people would have this thing pasted all over other helper boards at some point such as those in the ASAP network, or security-forums, or any of the shedload of boards on the main anti-hacker websites such as Antionline etc. Apparently not.

Why are you so dismissive?


Because after 7 pages, 93 replies and 16,678 pageviews, we're still none the wiser.

Show me the money indeed.

Edited by paperghost, 21 September 2004 - 01:15 PM.


#96 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 28 September 2004 - 05:31 PM

someone give me a link to some software that can take an image of a usb key and I will give you an image of the virus on an infection medium...

USB key info
Kingston USB - 128 MB
actual size 122mb
current size 102mb

Need image software that will capture the 'hidden partition' as well. Please reply soon...

#97 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 29 September 2004 - 02:47 AM

You can use just about any version of Ghost, provided you have a motherboard that supports boot from said USB device.

But be careful who you send it to.
Awatson complained about security providers not taking him seriously.

If you experience the same problem, but are hesitant about providing it to forum members, try sending it to Mike.

He should have sufficient standing and contacts in the security community to get some qualified help...

#98 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 30 September 2004 - 08:43 PM

If you don't have access to Symantec (Norton) Ghost -- which is not free -- you can try:

http://www.x-ways.ne...ex/index-m.html

The downloadable demo version of WinHEX has quite a bit of functionality. It will read a device in RAW mode - you should be able to examine the last 20mb of the sectors on your key and save whatever is in there. There's some menu command to dump a range of sectors directly to a bin file.

Another option: you might also try to see if your key really has more than one partition by examining its partition table directly. PartitionInfoNT (works on XP), part of the pre-Symantec PartitionMagic, is still available on their site here:

ftp://ftp.symantec.com/public/english_us_...es/PartInNT.zip

You can unzip it and start it from an XP command prompt or using START -> RUN... If the last 20mb actually is a partition and happens to use FAT or NTFS file systems, you might also be able to see file names.

If it was NTFS or FAT and you wanted to try and unhide the partition, you could change its type using PTEDIT. In case anyone else plans on using this tool for troubleshooting, note that it WILL directly edit the partition table of any writeable disk and could totally screw them up - be sure you have a PAPER printout of the PartInNT tables of all your disks for reference before you think about changing anything.

ftp://ftp.symantec.com/public/english_us_...es/PTEDIT32.zip

If these utilities do not show more than the one existing partition, then the remaining space may be hidden by fake max sector or C/H/S values, kind of like HPAs. This area could also be password protected and inaccessible through other methods - I'm not sure if a USB key can even use the same locking method that a regular ATA drive does.

Let us know what you find.
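The partition-table check described in the post above (does the table account for all the space the OS reports, and is any entry typed as "hidden"), as an added example that is not code from the thread or from any tool named in it. It works on any MBR-partitioned device, not only a USB key; the 122 MB / 102 MB figures are constructed here from awuh0's numbers, rounded to MiB, and the two sample MBRs are constructed inline rather than read from a real device.

```python
import struct
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

SECTOR = 512
MBR_TABLE_OFFSET = 446
# Partition type ids that PartitionMagic-era tools list as "hidden" FAT/NTFS
# variants; PTEDIT unhides by rewriting the type byte (e.g. 0x16 -> 0x06).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


@dataclass
class PartitionEntry:
    index: int        # slot 0..3 in the MBR table
    bootable: bool    # status byte == 0x80
    type_id: int      # partition type byte
    start_lba: int    # first sector (LBA)
    sectors: int      # length in sectors

    @property
    def end_lba(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.start_lba + self.sectors


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte entries of a classic MBR partition table."""
    if len(mbr) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0 and count == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return entries


def audit(mbr: bytes, device_sectors: int) -> Dict[str, Any]:
    """Compare the partition table with the sector count the OS reports.

    device_sectors is what the OS sees. A host protected area lies beyond
    that count and is invisible here, so this only finds space the table
    fails to cover and entries typed as hidden.
    """
    parts = parse_mbr(mbr)
    findings = []
    for p in parts:
        if p.type_id in HIDDEN_TYPES:
            findings.append(f"entry {p.index}: hidden partition type 0x{p.type_id:02X}")
        if p.end_lba > device_sectors:
            findings.append(f"entry {p.index}: runs past the reported end of device")
    highest = max((p.end_lba for p in parts), default=1)
    trailing = max(device_sectors - highest, 0)
    return {
        "partitions": parts,
        "trailing_sectors": trailing,
        "trailing_mib": trailing * SECTOR / 2**20,
        "findings": findings,
    }


def make_mbr(entries: List[Tuple[bool, int, int, int]]) -> bytes:
    """Build a constructed MBR (no boot code) from (bootable, type, start, count)."""
    mbr = bytearray(SECTOR)
    for i, (boot, type_id, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, MBR_TABLE_OFFSET + 16 * i,
                         0x80 if boot else 0x00, type_id, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: a key the OS reports as 122 MiB with a single visible
# 102 MiB FAT16 partition, leaving roughly 20 MiB unaccounted for at the end.
DEVICE_SECTORS = 122 * 2048                      # 249,856 sectors
VISIBLE_ONLY = make_mbr([(True, 0x06, 63, 102 * 2048 - 63)])
# Same device, but the tail is carried in the table as a hidden FAT16 entry.
HIDDEN_TAIL = make_mbr([(True, 0x06, 63, 102 * 2048 - 63),
                        (False, 0x16, 102 * 2048, 20 * 2048)])


def report(mbr: bytes, device_sectors: int) -> None:
    r = audit(mbr, device_sectors)
    for p in r["partitions"]:
        print(f"  slot {p.index}: type 0x{p.type_id:02X} LBA {p.start_lba}-{p.end_lba - 1}"
              f" ({p.sectors * SECTOR / 2**20:.1f} MiB){' boot' if p.bootable else ''}")
    print(f"  unaccounted trailing space: {r['trailing_mib']:.1f} MiB")
    for f in r["findings"]:
        print("  !", f)


if __name__ == "__main__":
    print("table covers only the visible partition:")
    report(VISIBLE_ONLY, DEVICE_SECTORS)
    print("table also carries a hidden FAT16 entry:")
    report(HIDDEN_TAIL, DEVICE_SECTORS)
```

On a real device, read the first 512 bytes of the raw device (e.g. with WinHex as the post suggests) and pass the sector count the OS reports; trailing space with no entry is what the post calls space "hidden by fake max sector or C/H/S values".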

#99 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 01 October 2004 - 09:51 AM

Thanks a lot ThisSideTowardsEnemy, these are the kind of tools I was looking for, will work on it soon.

#100 awuh0

awuh0

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 05 October 2004 - 10:04 PM

Unfortunately I was not able to get an image of the disk...
I did however get screen shots of it infecting a system.
See pictures...

edit: the board is not letting me attach pictures, so here is a text replica of the install process.

When the virus is installed it displays a message box exactly as follows.
______________________________________________________________________
System Settings Change

Windows has finished installing new cevices. The software that supports your device
requires that you restart your computer. You must restart your computer before the
new settings will take effect.

Do you want to restart you computer now?

Yes No
______________________________________________________________________

Please note that this is not a traditional windows message box, and that services is misspelled, unless Microsoft has had this misspelling this whole time. :rolleyes:

Using process explorer I located the offending process.

Command Line info
rundll32.exe newdev.dll,ClientSideInstall \\.\pipe\PNP_Device_Install_Pipe_0{00E97B7C-E2A4-4C68-B560-781B48AC9928}

If something was done about my inability to post pictures I would also show the screen shots if necessary.

Edited by awuh0, 06 October 2004 - 03:08 AM.
